Analysis
- max time kernel: 146s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23-11-2022 10:21
Static task: static1
Behavioral task: behavioral1
- Sample: RPO-09876543456.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: RPO-09876543456.exe
- Resource: win10v2004-20220812-en
General
- Target: RPO-09876543456.exe
- Size: 1.2MB
- MD5: 87f1444dda3a5714f282d0048944d7b8
- SHA1: 96fa777c406409208dc186d66588fe2d920c2c07
- SHA256: 250fbfdaf7c00e15d0d35edba1b28d7dfa2ca28fedbf887fbe4269dee364d066
- SHA512: 0eaf418b96dce98d7234490cc902d2d4e1a80b82a0fcdfd94ff1b79b68f4fb4d0ab0e3a2d2fa743b02d14347a5a4bd4b316763905e37a276ce42aca03beed555
- SSDEEP: 24576:e+YAuCcFjoX4LltOOr3C1zC+GGOG4emawVl9Rv:DPc9o473H+GS4XawVr1
Malware Config
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
-
Executes dropped EXE 2 IoCs
Processes:
  pid 2176  fuxvgibrz.exe
  pid 2144  fuxvgibrz.exe
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
  Key opened: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: fuxvgibrz.exe)
  Key opened: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: fuxvgibrz.exe)
  Key opened: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: fuxvgibrz.exe)
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
  Set value (str): \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ojvgfjyyrus = "C:\\Users\\Admin\\AppData\\Roaming\\ctnwtro\\cmlt.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\fuxvgibrz.exe\" \"C:\\Users\\Admin\\AppData\\Local\\Te" (process: fuxvgibrz.exe)
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow 12: api.ipify.org
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
  PID 2176 set thread context of 2144 (process: fuxvgibrz.exe, target process: fuxvgibrz.exe)
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
  pid 2144  fuxvgibrz.exe
  pid 2144  fuxvgibrz.exe
  pid 2144  fuxvgibrz.exe
-
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
  pid 2176  fuxvgibrz.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
  Token: SeDebugPrivilege, pid 2144 (process: fuxvgibrz.exe)
-
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
  pid 2176  fuxvgibrz.exe
  pid 2176  fuxvgibrz.exe
-
Suspicious use of SendNotifyMessage 2 IoCs
Processes:
  pid 2176  fuxvgibrz.exe
  pid 2176  fuxvgibrz.exe
-
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
  PID 2592 wrote to memory of 2176 (process: RPO-09876543456.exe, target process: fuxvgibrz.exe)
  PID 2592 wrote to memory of 2176 (process: RPO-09876543456.exe, target process: fuxvgibrz.exe)
  PID 2592 wrote to memory of 2176 (process: RPO-09876543456.exe, target process: fuxvgibrz.exe)
  PID 2176 wrote to memory of 2144 (process: fuxvgibrz.exe, target process: fuxvgibrz.exe)
  PID 2176 wrote to memory of 2144 (process: fuxvgibrz.exe, target process: fuxvgibrz.exe)
  PID 2176 wrote to memory of 2144 (process: fuxvgibrz.exe, target process: fuxvgibrz.exe)
  PID 2176 wrote to memory of 2144 (process: fuxvgibrz.exe, target process: fuxvgibrz.exe)
-
outlook_office_path 1 IoCs
Processes:
  Key opened: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: fuxvgibrz.exe)
-
outlook_win_path 1 IoCs
Processes:
  Key opened: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: fuxvgibrz.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\RPO-09876543456.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\RPO-09876543456.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\fuxvgibrz.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\fuxvgibrz.exe" "C:\Users\Admin\AppData\Local\Temp\fnbiv.au3"
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\fuxvgibrz.exe (depth 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\fuxvgibrz.exe" "C:\Users\Admin\AppData\Local\Temp\fnbiv.au3"
      - Executes dropped EXE
      - Accesses Microsoft Outlook profiles
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - outlook_office_path
      - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\dlhsqzxunv.hfi
  Filesize: 55KB
  MD5: 7c871d775d5fe3cb75b658c75e07ea20
  SHA1: 32a2fbf6caa9fe6d7e9f4054dbf5fc6f1a49caf6
  SHA256: be36d489cdd236b95d4b6cec9b04d5f290997ff4a99df134ecd7f24b2ff75275
  SHA512: d1882b5ca4efc6802e3f98e154cd2ea7e4750b6f37900b3ae807d9e1ce653f33c02783e97d09dc4fd35cf3d0dc9ed710453f6bddbb78a719dc286dd8d2ddca41
- C:\Users\Admin\AppData\Local\Temp\fnbiv.au3
  Filesize: 5KB
  MD5: e32a918af0a0d7dfef22102b72ccc289
  SHA1: 5960785cd6e71dea7d5c2ed67243e7d756add22e
  SHA256: fddb8bf6fd35ebaae071398208ebf1cc23ae881275f9c65faf283ba9cf206564
  SHA512: 0accd8a0c8ed2b7c41916f92e9a79bb5055cf403608a672e75851b4c87ea06d9798b67eab705a53357b8559b75ff8ad3ead54642825be4674cfdf0febd64d888
- C:\Users\Admin\AppData\Local\Temp\fuxvgibrz.exe (listed three times in the report with identical hashes)
  Filesize: 872KB
  MD5: c56b5f0201a3b3de53e561fe76912bfd
  SHA1: 2a4062e10a5de813f5688221dbeb3f3ff33eb417
  SHA256: 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
  SHA512: 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c
- C:\Users\Admin\AppData\Local\Temp\nqeplwpn.vie
  Filesize: 296KB
  MD5: 5f082e0fee917aea20b8ec142381129b
  SHA1: 7b3125e086e73bb3fbc4d2f655ff4d2faf7c27f4
  SHA256: 5647a05c8d0ab007763c3dc1d7b185e530a2f43a2979685d75a6e1ef1f934bb3
  SHA512: c9bfc40c2c0c31e8f96198868d35f49180889020268802c0a10c65c9148a6df573812087caf2948a72fa94595fa4122db60a96babb301c320b4c230f37cd0887
- memory/2144-138-0x0000000000000000-mapping.dmp
- memory/2144-140-0x0000000005C10000-0x00000000061B4000-memory.dmp
  Filesize: 5.6MB
- memory/2144-141-0x0000000000400000-0x000000000044E000-memory.dmp
  Filesize: 312KB
- memory/2144-142-0x0000000005510000-0x00000000055AC000-memory.dmp
  Filesize: 624KB
- memory/2144-143-0x0000000005B60000-0x0000000005BC6000-memory.dmp
  Filesize: 408KB
- memory/2144-144-0x0000000008170000-0x00000000081C0000-memory.dmp
  Filesize: 320KB
- memory/2144-145-0x0000000008260000-0x00000000082F2000-memory.dmp
  Filesize: 584KB
- memory/2144-146-0x0000000008310000-0x000000000831A000-memory.dmp
  Filesize: 40KB
- memory/2176-132-0x0000000000000000-mapping.dmp